
I'm struggling with a networking issue.

I have a Docker instance running on 172.17.0.14 with all the containers on the 172.18.0.0/24 network. With Vagrant you would do something like sudo route add -net 172.18.0.0 netmask 255.255.255.0 gw 172.17.0.14 to access the subnet.

However, when I run route add inside the container I get

SIOCADDRT: Operation not permitted

What can I do? Is there anything like Socat? I don't want to add the NETCAP capability.

martin
Ben Hall

1 Answer


You need the right permissions for this. Apparently, there are at least two ways to do that:

One from here:

docker exec --privileged container ip route add default via 172.17.0.14 dev eth0

The other option is to expose the netns from here:

pid=$(sudo docker inspect -f '{{.State.Pid}}' container)

sudo mkdir -p /var/run/netns
sudo ln -s /proc/$pid/ns/net /var/run/netns/$pid

sudo ip netns exec $pid ip route add default via 172.17.0.14
  • It's worth mentioning that `--privileged` is generally considered dangerous as it grants your docker container extra Linux capabilities (e.g. CAP_SYS_ADMIN, etc.) that it would normally not have. It effectively disables most docker isolation features, hence keep in mind the environment where this would be used and its level of trust. – link_boy Aug 17 '20 at 15:00
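The answer's second option (doing the route change from the host, inside the container's network namespace) as a reusable script, so the container never needs `--privileged` or CAP_NET_ADMIN. This is an added example, not code from the answer or from Docker; the function names, the input validation and the use of nsenter instead of the /var/run/netns symlink are my own choices.

```shell
#!/bin/sh
# Hypothetical helper: add a route inside a running container's network
# namespace from the host. The container itself never gets --privileged
# or CAP_NET_ADMIN. Needs root on the host, docker, and nsenter (util-linux).
set -eu

# Reject anything that is not a positive integer; docker inspect reports
# a Pid of 0 for a container that is not running.
validate_pid() {
    case "$1" in ''|*[!0-9]*|0) return 1 ;; *) return 0 ;; esac
}

validate_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Destination is either the word "default" or an IPv4 prefix like 172.18.0.0/24.
validate_dest() {
    [ "$1" = default ] && return 0
    net=${1%/*} prefix=${1#*/}
    [ "$net" != "$1" ] || return 1          # no '/' present
    validate_ipv4 "$net" || return 1
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ]
}

# Usage: add_container_route <container> <default|cidr> <gateway>
add_container_route() {
    [ $# -eq 3 ] || { echo "usage: add_container_route <container> <dest> <gw>" >&2; return 1; }
    validate_dest "$2" || { echo "bad destination: $2" >&2; return 1; }
    validate_ipv4 "$3" || { echo "bad gateway: $3" >&2; return 1; }
    pid=$(docker inspect -f '{{.State.Pid}}' "$1")
    validate_pid "$pid" || { echo "container $1 is not running" >&2; return 1; }
    # Enter only the network namespace of the container's init process. The
    # host's own ip(8) binary is used, so the image need not ship iproute2,
    # and nothing is left behind under /var/run/netns.
    nsenter --target "$pid" --net -- ip route replace "$2" via "$3"
    # Print the resulting entry so the change can be checked and logged.
    nsenter --target "$pid" --net -- ip route show "$2"
}

# Invoke as: ./add-container-route.sh --run <container> <dest> <gateway>
# Sourcing the file without --run only defines the functions.
if [ "${1:-}" = "--run" ]; then
    shift
    add_container_route "$@"
fi
```

For the situation in the question that would be `./add-container-route.sh --run <container> default 172.17.0.14`, run as root on the Docker host rather than inside the container.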